Google Desktop Risk

March 1, 2006

GDesktopGoogle has announced the latest version of Google Desktop. I tested the previous versions of the product with satisfaction. The searches were fast, the documents, e-mails and files showed were also good and relevant for the search keys used and the indexing process was well designed acting only when the computer had idle times. The “missing” feature was the limitation of searching only in the local file space. This limitation has been removed in this new version and, in addition, Google stores a copy of the index on the company’s servers. The company argues that the index will be retained only for 30 days and it will be protected and encrypted and Google will not compromise the information on the indexes. What will be use of this information? Actually , I don’t know; but it wouldn’t be a surprise that it could be used within other services like Gmail, Google maps or Orkut or for other unspecified data mining purposes. As the matter of fact we must trust Google and trust that this information will be well protected within their complex network.

From my point of view, with this issue arise two important risks:

  • Although the information will be encrypted before it is transmitted to google’s servers it does not . Somehow the information could be intercepted by strangers.
  • When the information is stored in the servers it could be viewed by other (inside or outside Google) specially if it’s integrated with other services.

These risks are quite high not because the control in place are weak but because the information stored in our desktop. Individuals and organizations have the more sensitive information stored in personal folders and mail inboxes. That is the impact of an eventual data theft will affect this very information.

Recommendation: Asses if it worth it and consider the use of enterprise search solutions.

StrategIT Tip: Information and meta information should be controlled. Some desktop applications could undermine our protections. To monitor the security and privacy impact of this applications should be an intelligent habit of managers.

RFID privacy and more

February 22, 2006


Radio Frequency ID tags are wonderful! Hi-tech embedded in a thin plastic band. Cheap, flexible, powerful and useful for a wide-range of applications; but since its popularisation there is some controversy about the security and privacy issues. Civil rights groups and privacy-concerned public are claming against the use of this devices and demanding government regulations. The are right, but just partially. Some cases could be pretty sound like pharmaceutics –really I don’t want that someone knows that I’ve got Viagra in my briefcase!- , but if the company uses RFID to manage inventory, supply-chain or maintenance processes. It is affecting anybody’s privacy?

The privacy problems are mainly two, one technical and the other psychological:

  • They must be low-cost devices and therefore they can implement only a limited set of algorithms for encryption and authentication mechanisms. News like this one (Yes is the S from RSA!) show the reality of RFID security. Now it’s just an isolate experiment, but recent events in the security market .(A good example is the WEP encryption standard for WiFi networks, in only months the Wire-equivalent-Protection become synonymous of insecurity)
  • The fear to progress forces and technology changes. Politics and lobbing agents also matters, but, of course, they need some gas in form of public support. Here, unfortunately is messier to deal with.

In addition, some other managerial questions are also relevant. If some critical processes are relying on information gathered by RFID infrastructures, there some question we should answer (a first approach):

  • There is some concern and aware of RFID Risks?
  • Is your organization managing policies and procedures related to RFID and complying current regulation?
  • Are controls in place to assure that RFID tags are properly issued and scraped?
  • Are controls in place to assure that RFID infrastructure systems are tracking all items with reliability?
  • Are the RFID tags properly deactivate to safeguard clients or suppliers privacy?
  • Who is accountable of all this stuff?

Let me show a simple example: A regular task for financial auditors is to estimate inventory accounts based on physical inventories using samples. What if your systems provide a quasi-physical inventory based on RFID warehouse facility?. Should the auditor relay totally on this data? Should the auditor work if the were no RFID system?. I let the answer to the reader

Pending task: How about a good IT Audit program for RFID enviroments?

Strategy Tip: Don’t forget, new emerging technologies come together with “emerging” risks.

OS X Malware born

February 19, 2006

XOS WORMSooner or later markets reach equilibrium. Computer virus markets, like others, are not different indeed. Some users of Mac environments thought they were safe from viruses but it is now part of a myth. The past 16th November was discovered the 1st worm for Apple’s OSX. It is not much aggressive; it is just a proof of concept that malware is not only possible but a real menace on this platform.

Apple’s strategy of migrating their platform from Power PC to Intel could be a signal that OS X could become a much more popular OS in the future. If Apple’s countermeasures against copy and deployment of OS X on standard PC ( Today it’s possible but illegal) fails, the population of OSX-suited (or hybrid) malware will increase soon. Malware it’s not about technology it’s a market phenomenon.